- ICO finds most insider cyber attacks in United Kingdom schools are caused by students
- Many breaches linked to weak passwords or logged-in sessions exploited by students
- Officials urge schools and parents to guide curiosity into legal, positive channels
The Information Commissioner's Office (ICO) has warned that students are increasingly behind insider cyber attacks in schools and universities in the United Kingdom.
Between January 2022 and August 2024, the ICO analyzed 215 data breach reports from the education sector that involved insider threats.
It found that 57% of the incidents were caused by students. Almost a third arose from stolen or guessed login details, with students responsible for 97% of these cases.
Logging in, not breaking in
While Hollywood has portrayed teenage hackers with a degree of glamour in films such as Ferris Bueller's Day Off or Hackers, the reality described by the ICO is more mundane and more harmful.
Children are not breaking into systems but logging in, often exploiting weak passwords or taking advantage of poor data protection practices.
A case highlighted by the ICO showed how quickly curiosity can become a serious breach.
“Three Year 11 students illegally accessed the information management system of a high school, which contains personal information of more than 1,400 students. When asked, the students admitted to being interested in IT and cyber security, and that they wanted to prove their skills and knowledge. The students used tools downloaded from the internet to break the passwords and security protocols, with two of the students admitting that they belonged to an online hacker forum.”
In another example of the ICO:
“A student illegally accessed the information management system of a university, then saw, modified or eliminated personal information that belongs to more than 9,000 employees, students and applicants. The system stored personal information, such as the name and address of the household, school records, health data, safeguard and pastoral contacts and emergency contacts. University research access its systems.”
The ICO found that 23% of the incidents in the education sector were caused by poor data protection practices, such as staff accessing records without a legitimate need, leaving devices unattended or allowing students to use staff devices.
Another 20% involved staff sending data to personal accounts, while 17% came from poorly configured access rights.
A further 5% involved experts deliberately bypassing network security.
“While educational environments are experiencing a large number of cyber attacks, there is still increasing evidence that ‘internal threat’ is little known, largely without remedy and can lead to the future risk of damage and crime,” said Heather Toomey, principal cyber specialist.
“What begins as a dare, a challenge, a little fun in a school environment can lead children to participate in harmful attacks against organizations or critical infrastructure.”
The ICO urges schools to strengthen training, reduce unnecessary access and ensure that data protection is regularly updated.
Parents are also encouraged to talk openly with their children about online behavior, with the aim of directing curiosity into positive channels instead of criminal activity.
“It is important that we understand the interests and motivations of the next generation in the online world to ensure that children remain on the right side of the law and progress to rewarding careers in a sector that constantly needs specialists,” Toomey concluded.